The Hacker News — Cyber Security, Hacking, Technology News

A series of recently disclosed critical Bluetooth flaws that affect billions of Android, iOS, Windows and Linux devices have now been discovered in millions of AI-based voice-activated personal assistants, including Google Home and Amazon Echo.

As estimated during the discovery of this devastating threat, several IoT and smart devices, whose operating systems are often updated less frequently than smartphones and desktops, are also vulnerable to BlueBorne.

BlueBorne is the name given to the sophisticated attack exploiting a total of eight Bluetooth implementation vulnerabilities that allow attackers within the range of the targeted devices to run malicious code, steal sensitive information, take complete control, and launch man-in-the-middle attacks.

What's worse? Triggering the BlueBorne exploit doesn't require victims to click any link or open any file; it needs no user interaction at all. Also, most security products would likely not be able to detect the attack.

What's even scarier is that once an attacker gains control of one Bluetooth-enabled device, he/she can infect any or all devices on the same network.

These Bluetooth vulnerabilities were patched by Google for Android in September, Microsoft for Windows in July, Apple for iOS one year before disclosure, and Linux distributions also shortly after disclosure.

However, many of these 5 billion devices are still unpatched and open to attacks via these flaws.

IoT security firm Armis, which initially discovered this issue, has now disclosed that an estimated 20 million Amazon Echo and Google Home devices are also vulnerable to attacks leveraging the BlueBorne vulnerabilities.

Broken down, around 15 million Amazon Echo and 5 million Google Home devices sold across the world are potentially at risk from BlueBorne.

Amazon Echo is affected by the following two vulnerabilities:

A remote code execution vulnerability in the Linux kernel (CVE-2017-1000251)

An information disclosure flaw in the SDP server (CVE-2017-1000250)

Since different Echo variants use different operating systems, other Echo devices are affected by either the vulnerabilities found in Linux or those found in Android.

This Android flaw can also be exploited to cause a denial-of-service (DoS) condition.

Since Bluetooth cannot be disabled on either of the voice-activated personal assistants, attackers within the range of the affected device can easily launch an attack.

Armis has also published a proof-of-concept (PoC) video showing how they were able to hack and manipulate an Amazon Echo device.

The security firm notified both Amazon and Google about its findings, and both companies have released patches and issued automatic updates for the Amazon Echo and Google Home that address the BlueBorne attacks.

Amazon Echo customers should confirm that their device is running v591448720 or later, while Google has not yet released any information regarding its patched version.

If you are using a Bluetooth-enabled device, be it a smartphone, laptop, smart TV or any other IoT device, you are at risk of malware attacks that can be carried out remotely to take over your device without requiring any interaction on your part.

Security researchers have just discovered a total of 8 zero-day vulnerabilities in the Bluetooth protocol that impact more than 5.3 billion devices using the short-range wireless communication technology, from Android, iOS, Windows and Linux to Internet of Things (IoT) devices.

Using these vulnerabilities, security researchers at IoT security firm Armis have devised an attack, dubbed BlueBorne, which could allow attackers to completely take over Bluetooth-enabled devices, spread malware, or even establish a "man-in-the-middle" connection to gain access to devices' critical data and networks without requiring any victim interaction.

All an attacker needs is for the victim's device to have Bluetooth turned on and, obviously, to be in close proximity to the attacker's device. Moreover, successful exploitation doesn't even require vulnerable devices to be paired with the attacker's device.

BlueBorne: Wormable Bluetooth Attack

What's more worrisome is that the BlueBorne attack could spread like the wormable WannaCry ransomware that emerged earlier this year and wreaked havoc by disrupting large companies and organisations worldwide.

Ben Seri, head of the research team at Armis Labs, claims that during an experiment in the lab, his team was able to create a botnet and install ransomware using the BlueBorne attack.

However, Seri believes that it is difficult even for a skilled attacker to create a universal wormable exploit that could find Bluetooth-enabled devices, target all platforms together and spread automatically from one infected device to others.

"Unfortunately, this set of capabilities is extremely desirable to a hacker. BlueBorne can serve any malicious objective, such as cyber espionage, data theft, ransomware, and even creating large botnets out of IoT devices like the Mirai Botnet or mobile devices as with the recent WireX Botnet," Armis said.
"The BlueBorne attack vector surpasses the capabilities of most attack vectors by penetrating secure "air-gapped" networks which are disconnected from any other network, including the internet."

Apply Security Patches to Prevent Bluetooth Hacking

The security firm responsibly disclosed the vulnerabilities to all the major affected companies a few months ago, including Google, Apple, Microsoft, Samsung and the Linux Foundation.

Google and Microsoft have already made security patches available to their customers, while Apple iOS devices running the most recent version of its mobile operating system (that is, 10.x) are safe.

“Microsoft released security updates in July and customers who have Windows Update enabled and applied the security updates are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates.” – a Microsoft spokesperson said.

What's worse? All iOS devices running 9.3.5 or older versions and over 1.1 billion active Android devices running versions older than Marshmallow (6.x) are vulnerable to the BlueBorne attack.

Moreover, millions of smart Bluetooth devices running a version of Linux are also vulnerable to the attack. The commercial and consumer-oriented Linux platform Tizen OS, BlueZ and Linux 3.3-rc1 are also vulnerable to at least one of the BlueBorne bugs.

Android users need to wait for security patches for their devices, as delivery depends on their device manufacturers.

In the meantime, they can install the "BlueBorne Vulnerability Scanner" app (created by the Armis team) from the Google Play Store to check whether their devices are vulnerable to the BlueBorne attack. If your device is found vulnerable, you are advised to turn off Bluetooth when not in use.

Thomas Kilbride, a security researcher from security firm IOActive, has discovered several critical vulnerabilities in the Segway Ninebot miniPRO that could be exploited by hackers to remotely take "full control" over the hoverboard within range and leave riders without control.

The Segway Ninebot miniPRO is a high-speed, self-balancing, two-wheel, hands-free electric scooter, also known as the SUV of hoverboards, which also allows its riders to control the hoverboard remotely through the Ninebot smartphone app.

Bluetooth Low Energy, also known as Bluetooth Smart or Bluetooth 4, is the leading protocol designed for connecting IoT devices, medical equipment and smart homes, and, as with most emerging technologies, security is often an afterthought.

As devices become more and more embedded in our daily lives, vulnerabilities have real impact on our digital and physical security.

Enter the Bluetooth lock, promising digital key convenience with temporary and Internet-shareable access. The problem is, almost all of these locks have vulnerabilities, easily exploited via Bluetooth!

DEF CON always has the coolest new hacks and security news, and this year was no exception. The hacking conferences are a great way to get a pulse on the general status of the security world, what people are interested in, worried about, or looking to exploit.

This year clearly had an uptick in Internet of Things (IoT) devices and ways to hack them.

Obviously, we had to go and take a look at the Bluetooth lock hack, and we are not the only ones.

There were articles in a number of security and general tech sites about how vulnerable some of these locks are – a shocking 75% of them could be hacked relatively easily, and one reported to have great security could actually be broken into with a screwdriver.

The locks were from companies like BlueLock, Kwikset, Noke, August, BitLock, and QuickLock.

How to Hack a Bluetooth Lock:

There have been a number of different researchers who have tackled this problem, but Anthony Rose and Ben Ramsay out of Merculite Security did a great job of thoroughly going through a significant number of them, documenting the hacks and contacting the manufacturers.

Look for plaintext passwords: Many of the locks had passwords but were simply transmitting them in plaintext. Anyone with a decent Bluetooth sniffer like Ubertooth and some effort has just owned your password.

Replay the signal: OK, great, you’ve built in awesome encryption and I can't possibly hope to read and decrypt the signal you just sent to that lock. But I just capture and replay what you sent, and the door opens wide.

Man in the Middle: Here I am, using one of the many Man in the Middle tools to sit in the middle of your connection and control everything you're transmitting to the device. There's *definitely* no way I could change what you’re transmitting (say, to keep the deadbolt from hearing a "lock" command).

The great news is that we found a video of Zero_Chaos and Granolocks at Pwnie Express that shows all of this in action, along with tools you can actually use to detect these hacks.
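As an added illustration of the three weaknesses listed above (example code, not from Merculite Security or Pwnie Express), the following models a plaintext-password lock beside a challenge-response lock and shows why a sniffed frame replays against the first but not the second, and why a command altered in transit fails the second lock's MAC. The lock classes, frame layout and password are constructed for the example, not taken from any real product.

```python
import hmac, hashlib, secrets

# Constructed example: a toy Bluetooth-lock protocol, not any vendor's real
# firmware. Frames are byte strings that a sniffer can read and re-send.
def mac(key: bytes, nonce: bytes, cmd: bytes) -> bytes:
    return hmac.new(key, nonce + cmd, hashlib.sha256).digest()

class PlaintextLock:
    """The weak design from the survey: a static password sent in the clear."""
    def __init__(self, password: bytes):
        self._password, self.is_open = password, False

    def receive(self, frame: bytes) -> bool:
        cmd, _, secret = frame.partition(b":")
        # Nothing ties the frame to a session, so a sniffed copy works forever.
        self.is_open = cmd == b"unlock" and hmac.compare_digest(secret, self._password)
        return self.is_open

class ChallengeResponseLock:
    """Hardened design: fresh nonce per session, command bound by an HMAC."""
    NONCE, TAG = 16, 32                 # frame layout: nonce | command | tag

    def __init__(self, key: bytes):
        self._key, self._pending, self.is_open = key, None, False

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(self.NONCE)   # unpredictable, single-use
        return self._pending

    def receive(self, frame: bytes) -> bool:
        if self._pending is None or len(frame) < self.NONCE + self.TAG:
            return False
        nonce, cmd, tag = frame[:self.NONCE], frame[self.NONCE:-self.TAG], frame[-self.TAG:]
        ok = (hmac.compare_digest(nonce, self._pending)
              and hmac.compare_digest(tag, mac(self._key, nonce, cmd)))
        self._pending = None            # a nonce answers exactly one frame
        if ok:
            self.is_open = cmd == b"unlock"
        return ok

def phone_response(key: bytes, nonce: bytes, cmd: bytes) -> bytes:
    return nonce + cmd + mac(key, nonce, cmd)   # what the owner's app sends back

def replay_against_plaintext():
    lock = PlaintextLock(b"hunter2")
    sniffed = b"unlock:hunter2"                 # owner's frame, captured off the air
    first = lock.receive(sniffed)
    lock.is_open = False                        # owner locks up and walks away
    return first, lock.receive(sniffed)         # (True, True): replay opens the door

def replay_against_challenge_response():
    key = secrets.token_bytes(32)
    lock = ChallengeResponseLock(key)
    sniffed = phone_response(key, lock.challenge(), b"unlock")
    first = lock.receive(sniffed)
    lock.is_open = False
    lock.challenge()                            # next session gets a new nonce
    return first, lock.receive(sniffed)         # (True, False): stale nonce rejected

def mitm_tampering():
    key = secrets.token_bytes(32)
    lock = ChallengeResponseLock(key)
    frame = phone_response(key, lock.challenge(), b"lock")
    tampered = frame[:16] + b"unlock" + frame[-32:]   # attacker swaps the command
    return lock.receive(tampered)               # False: the tag no longer verifies
```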

Locks are not the only Bluetooth devices shown to be vulnerable. Here’s a quick list of just some of the devices that have already been found vulnerable:

Cars

Teakettles and coffee machines

Medical devices (including implanted ones)

Fitness trackers

This news should be worrying for people who have invested in a cheap Bluetooth lock for their convenience, and such attacks could be a real problem just waiting to happen.

Do you need a FitBit Tracker while jogging or running or even sleeping?

Bad News! FitBit can be hacked in a way that could allow hackers to infect any PC connected to it.

What's more surprising?

Hacking FitBit doesn't take more than just 10 Seconds.

Axelle Apvrille, a researcher at the security company Fortinet, demonstrated "How to hack a Fitbit in only 10 seconds" at the Hack.Lu conference in Luxembourg.

Apvrille's test was a proof of concept (POC) that did not actually focus on executing a malicious payload, but rather on a logical attack.

By using only Bluetooth, Apvrille was able to modify data on steps and distance. However, she said it is possible to infect the device in an attempt to spread malware to synced devices.

Fitbit Flex tracker is a flexible wristband that measures health statistics, such as blood pressure and heart rate.

The Flex is a product of Fitbit, and its salient features are:

It can wake you up with a silent vibration alarm.

The device is water-repellent.

The sensor can be removed (and used with other Flex wristbands).

It is synchronized via USB and can be used via the Fitbit app.

It does wireless syncing via Bluetooth.

It has an OLED display.

THE HACK

The hack, which was reported to Fitbit in March, makes use of the open Bluetooth connection of a Fitbit wearable.

According to the researcher, an attacker can send malware to the wearable fitness tracker nearby at a Bluetooth distance, which would then be transferred to any PC the Fitbit came into contact with.

Once infected, whenever the victim wishes to sync his or her fitness data with FitBit servers, the wearable tracker responds to the query, "but in addition to the standard message, the response is tainted with the infected code," Apvrille told the Reg.

"From there, [the fitness tracker] can deliver a specific malicious payload on the [PC], that is, start a backdoor, or have the [system] crash [and] can propagate the infection to other trackers," Apvrille added.

Video Demonstration

You can watch the video demonstration of the Fitbit hack by Axelle Apvrille, which shows the attack in action.

How Does the Hack Work?

Here's how the researcher performed the "10 seconds" hack:

Reverse engineer the Fitbit protocols and manipulate the number of tracked steps and distance covered by the user.

After this, send a malicious payload (size: 17 bytes) over the Bluetooth signal to the wireless tracker.

Now, transmit this payload to a computer.

The things worth noticing are:

Tearing down the Fitbit Flex and its USB dongle, the researcher demonstrated how hackers could exploit the vulnerability to create fake exercise data and add as many rewards as they wanted.

Apvrille was able to connect to the wireless band and infect it too.

Any laptop or PC that connects with the infected wearable device can potentially be infected with a trojan, backdoor, or whatever the attacker wants.

The device could work as a hardware Random Number Generator (RNG).

It could spy on users.

Apvrille also mentions that the device's communication is over XML and Bluetooth Low Energy, while encryption and decryption occur on the wearable device and not on the dongle, which is "outside of the security boundaries."

FitBit – Flaws Reported in Fitbit are 'FALSE'

Learning about the vulnerability in the Fitbit Flex trackers, the company responded by saying, "We believe that security issues reported today are false, and that Fitbit devices can't be used to infect users with malware."

A spokesperson from Fitbit said Fortinet first contacted Fitbit in March to report a low-severity issue unrelated to malicious software.

And...

"Since that time we've maintained an open channel of communication with Fortinet. We haven't seen any data to indicate that it is possible to use a tracker to distribute malware."

According to the company, Fitbit has a history of working closely with the research communities and it always welcomes thoughts and feedback from security researchers.

We are living in an era of smart devices that we sync with our smartphones to make our lives simple and easy, but these smart devices that interoperate with our phones could leave our important and personal data wide open to hackers and cybercriminals.

Security researchers have demonstrated that the data sent between a smartwatch and an Android smartphone is not very secure and could be subject to brute-force attacks by nearby attackers, who could intercept and decode users' data, including everything from text messages to Google Hangout chats and Facebook conversations.

Well, this happens because the Bluetooth communication between most smartwatches and Android devices relies on a six-digit PIN code in order to transfer information between them securely. A six-digit PIN means approximately one million possible keys, which attackers can easily brute-force, exposing entire conversations in plain text.

Researchers from the Romania-based security firm Bitdefender carried out a proof-of-concept hack against a Samsung Gear Live smartwatch and a paired Google Nexus 4 handset running Android L Preview. Using only sniffing tools available at the time, the researchers found that the PIN obfuscating the Bluetooth connection between the two devices was easily brute-forced.

A brute-force attack is one where a nearby hacker attempts every possible combination until finding the correct one. Once they found the right match, they were able to monitor the information transferred between the smartwatch and the smartphone.

VIDEO DEMONSTRATION

You can watch the proof-of-concept video below, run on a Samsung Gear Live smartwatch and a paired Google Nexus 4 device running Android L Preview.

The researchers explained that their findings were "pretty consistent with [their] expectations" and that, without a great deal of effort, encrypted communications between wearable technology and smartphones could be cracked and left open to prying eyes.

This new discovery is important particularly for those who are concerned about their personal data, and considering the current growth of the market for smartwatches and wearable devices, it will definitely make you think before using one.

HOW TO PROTECT YOURSELF FROM SUCH ATTACKS

To protect yourself from becoming a victim of such attacks, one option is to use Near Field Communication (NFC) to safely transmit a PIN code to compatible smartwatches during pairing, but that would likely increase the cost and complexity of the devices. In addition, "using passphrases is also tedious as it would involve manually typing a possibly randomly generated string onto the wearable smartwatch," the report said.

Another option is to use original equipment manufacturers (OEMs) by Google as an alternative to make data transfers between either device more secure. "Or we could supersede the entire Bluetooth encryption between Android device and smartwatch and use a secondary layer of encryption at the application level," the report offered. There are almost certainly other potential fixes available.
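To make the one-million-keys arithmetic above concrete, this added example (not from the Bitdefender report) models a wearable link with a toy cipher: when the link key is derived from a six-digit pairing PIN, a single sniffed frame is enough to recover the PIN offline, while the report's suggested application-layer key from a random 256-bit secret defeats the same search. The key derivation, keystream and tag are constructed stand-ins, not Bluetooth's real pairing or encryption algorithms.

```python
import hashlib, secrets

# Constructed toy model of a PIN-keyed wearable link; it is NOT Bluetooth's
# real pairing algorithm. Each frame carries an 8-byte tag, so a guessed key
# can be checked offline against a single captured frame.
PIN_DIGITS = 6
CHAT = b"hangout: meet at 7, bring the spare keys"   # constructed sample message

def toy_kdf(secret: bytes) -> bytes:
    """Derive the link key from a secret (the pairing PIN, or something better)."""
    return hashlib.sha256(b"toy-link-key|" + secret).digest()

def keystream(key: bytes, n: int) -> bytes:
    blocks = [hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def tag(key: bytes, ct: bytes) -> bytes:
    return hashlib.sha256(b"toy-tag|" + key + ct).digest()[:8]

def seal(key: bytes, msg: bytes) -> bytes:
    ct = bytes(a ^ b for a, b in zip(msg, keystream(key, len(msg))))
    return ct + tag(key, ct)

def open_frame(key: bytes, frame: bytes):
    ct, t = frame[:-8], frame[-8:]
    if tag(key, ct) != t:
        return None                      # wrong key or tampered frame
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))

def recover_pin(captured: bytes):
    """Eavesdropper's view: one sniffed frame, every possible PIN tried offline."""
    ct, t = captured[:-8], captured[-8:]
    for p in range(10 ** PIN_DIGITS):
        pin = f"{p:0{PIN_DIGITS}d}".encode()
        if tag(toy_kdf(pin), ct) == t:
            return pin
    return None

def weak_link():
    """Key derived from the six-digit pairing PIN alone: ~1e6 candidates."""
    pin = b"031337"                      # constructed; any six digits would do
    frame = seal(toy_kdf(pin), CHAT)
    guess = recover_pin(frame)
    plaintext = open_frame(toy_kdf(guess), frame) if guess else None
    return guess, plaintext              # (b"031337", CHAT): conversation exposed

def hardened_link():
    """Application-layer key from 256 random bits, as the report suggests:
    the same search over the PIN space never finds a matching key."""
    frame = seal(toy_kdf(secrets.token_bytes(32)), CHAT)
    return recover_pin(frame)            # None
```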

In the era of Smart devices, we have Smartphones, Smart TVs, Smart Fridges, and even the Smart cars! We have made our life very easy and comfortable by providing the master control of every task to such smart devices.

But imagine if an attacker wants to take revenge or hurt someone: now they can hack your car, rather than failing its brakes in the traditional way. Sounds horrible!

Well, two security researchers, Javier Vazquez-Vidal and Alberto Garcia Illera, have developed a home-made gadget called 'CAN Hacking Tools (CHT)', a tiny device smaller than your smartphone, which is enough to hack your car.

The kit costs less than $20, but is capable of handing an attacker complete control of your car, from its windows and headlights to its steering and brakes.

The device uses the Controller Area Network (CAN) ports that are built into cars for computer-system checks, and draws power from the car’s electrical system. Injecting malicious code through the CAN ports allows an attacker to send wireless commands remotely from a computer. Once hackers take hold of this network they can control lights, locks, steering and even brakes.

“It can take five minutes or less to hook it up and then walk away,” says Vazquez Vidal to Forbes, adding, “We could wait one minute or one year, and then trigger it to do whatever we have programmed it to do.”

They have already tested their CHT device on four different vehicles and successfully performed tricks, including applying the emergency brakes while the car was in motion, which could potentially cause a sudden stop in traffic, switching off headlights, setting off alarms, and affecting the steering.

So far their device is able to communicate via Bluetooth only, which limits it to a short range, but they plan to upgrade it to use a GSM cellular radio, which would make it possible to control the device from miles away.

“All the ingredients of their tool are off-the-shelf components, so that even if the device is discovered, it wouldn’t necessarily provide clues as to who planted it. It’s totally untraceable”, says Vazquez Vidal. “A car is a mini network,” says his partner Garcia Illera, adding, “And right now there’s no security implemented.”

Cybercriminals will not leave any avenue for making money untried. Here is another huge credit card theft, and this time they targeted gas stations.

13 men have been charged with stealing banking information using Bluetooth-enabled credit card skimmers planted at gas stations throughout the Southern United States.

They made more than $2 million by downloading the banking information, as well as PIN numbers, from the gas pumps and then using the data to draw cash from ATMs in Manhattan.

Manhattan District Attorney Cyrus R. Vance explained that the skimming devices were installed internally, so they were undetectable to the people who paid at the pumps, and that the devices were Bluetooth-enabled, so no physical access was needed in order to retrieve the stolen personal identifying information.

“By using skimming devices planted inside gas station pumps, these defendants are accused of fueling the fastest growing crime in the country. Cybercriminals and identity thieves are not limited to any geographic region, working throughout the world behind computers.”

Between approximately March 2012 and March 2013, the suspects used the forged cards to withdraw cash from ATMs, and then deposited that stolen money into bank accounts in New York. Other members of the ring then promptly withdrew that money at banks in California or Nevada.

“Each of the defendants’ transactions was under $10,000. They were allegedly structured in a manner to avoid any cash transaction reporting requirements imposed by law and to disguise the nature, ownership, and control of the defendants’ criminal proceeds. From March 26, 2012, to March 28, 2013, the defendants are accused of laundering approximately $2.1 million.”

The four top defendants out of the 13 – Garegin Spasrtalyan, age 40, Aram Martirosian, age 34, Hayk Dzhandzhapanyan, age 40, and Davit Kudugulyan, age 42 – are considered the lead defendants and are charged with money laundering, theft, and possession of a forgery device and forgery instruments. The others are charged with two counts of money laundering and theft.